General

  • Target

    c6d687a93a119f80b232d0a5430be96c_JaffaCakes118

  • Size

    480KB

  • Sample

    240828-ph4w7axgnc

  • MD5

    c6d687a93a119f80b232d0a5430be96c

  • SHA1

    dd3f1bf68e89370150e258793d0da4f1decda5c2

  • SHA256

    1b258545e9107c34a16fdd668427521cf639f430fcad337c8c709f779a031a5e

  • SHA512

    c283961aa63a13031234ea2ef7fcc69287e5ca831945dd1d38b2d8e6e8195b5ef0825dfbc59d9ac4cff4e2d75c789e0fedb36b13158499cf7f441fdb433dbbbc

  • SSDEEP

    12288:N26YCaL0/TbBktszrqSldEXkNHhyOxSoIo/jnBA:g6naABk+qSsXkNHYuxhbB

Malware Config

Extracted

Family

netwire

C2

79.134.225.58:3360

Attributes

  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    79.134.225.58

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password2019@

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is password stealing and keylogging, but it also includes remote-control capabilities.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks